Security
Checklist for team leaders
Establish policies and processes
- Review telework agreements and policies to ensure they comply with your agency’s information security policies.
- Create a clear, written data handling policy that accounts for realities of working outside a physical office (e.g., working on the laptop in view of family members).
- Enforce personal privacy requirements for records.
- Keep all policies accessible in a place where everyone knows to look for them (like Confluence or other team collaboration tool).
- Track removal and return of potentially sensitive materials, such as personnel records.
Enforce secure login practices
- Choose a password manager and make sure teams adopt it for secure, unique passwords across all logins.
- Enforce two-factor authentication across agency systems and employee logins.
- Provide training on use of password management and two-factor authentication (this can be a simple half-day workshop to onboard everyone to the tools and practice using them).
- Explicitly forbid the use of passwords written on sticky notes or browser auto-fill passwords for agency system logins.
Ensure secure systems access for teams
- Set up a Virtual Private Network (VPN) for a secure internet connection, and confirm that your employees can access it from their homes.
- Make sure the right employees can securely log in and access systems remotely (this can mean expanding access for some employees and limiting it for others).
- Consider reimbursing employees if they need to use their mobile hotspot for remote systems access.
Provide security training
- Information systems security training (can be provided by third-party vendor)
- Workshops for setting up and using password manager and two-factor authentication
- Training on recognizing and avoiding phishing attacks (here’s a simple quiz you can use to test employee awareness)
Checklist for teams
Beware of phishing / malware / hacking
- Emails that ask you to confirm personal information
- Email addresses or websites that don’t look genuine
- High-intensity subject lines or messaging (e.g., “Urgent COVID Directive!”)
- Don’t open attachments you don’t recognize
Use secure login practices
- Onboard to the password manager tool your team is using
- Set an example to others if your team isn’t collectively using a password manager (and perhaps offer to lead a one-hour workshop to help colleagues get set up)
- Avoid browser password autofill or writing passwords on sticky notes
Protect your devices and hardware
- Enable remote lock-out and reset on your phone / laptop
- Require password entry on power-up and login
- Close laptop and remove CAC / PIV card when not in use
- Encrypt hard disks (and wipe disks before giving away or discarding)
- Never leave devices in the car or out of your sight
- Lock your doors when you leave the house
- Don’t use a thumb drive unless you know where it came from
Practice good security habits
- Comply with organizational policies and with any additional requirements spelled out in your telework agreement.
- Use only your agency services and tools for email, file sharing, and other work activities – not your personal accounts.
- Avoid unsecured WiFi in public places when working on sensitive information (a mobile phone hotspot is also not entirely secure). Use the agency VPN for a secure connection.
- Keep software and systems up-to-date – the latest version includes the most recent security fixes. This includes:
  - Cell phone operating system
  - Web browser
  - Laptop / computer operating system
  - Web tools and apps (video conferencing, etc.)
Tools
Password management
Two-factor authentication
Resources
Guidance
- Security & IT (U.S. Office of Personnel Management)
- Telework Security Basics (NIST)
- Enterprise VPN Security (U.S. Department of Homeland Security)
- Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions (NIST)
- Cyber-Safety for Mobile Workers (British Columbia Office of the Chief Information Officer)
- Cybersecurity Recommendations for critical infrastructure using videoconferencing (CISA)
- Guidance for securing videoconferencing (CISA)
Videos
Posts
- Back to basics: Multi-factor authentication (MFA) (NIST)
- Why you should use a password manager, and how to get started (How To Geek)
- 5 ways to spot a phishing email (National Cybersecurity Alliance)
- How to identify digital scams in 2020 (The Gateway)
- Selecting and Safely Using Collaboration Services for Telework (National Security Agency)
- Zoom security fixes and Zoom bombing (John O'Duinn)
Related
Services
Training
Get customizable training for small or large groups at your agency on remote / telework best practices.
Coaching
Get personalized coaching and implementation help for building effective distributed government teams.
Consulting
Get one-on-one consulting for orientation on telework policies and best practices, along with recommendations for your agency.